<p>Arbitrary OS command injection vulnerabilities are more likely when a shell is spawned rather than a new process, indeed shell meta-chars can be
used (when parameters are user-controlled for instance) to inject OS commands.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> OS command name or parameters are user-controlled. </li>
</ul>
<p>There is a risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>Use functions that don’t spawn a shell.</p>
<h2>Sensitive Code Example</h2>
<pre>
const cp = require('child_process');

// A shell will be spawn in these following cases:
cp.exec(cmd); // Sensitive
cp.execSync(cmd); // Sensitive

cp.spawn(cmd, { shell: true }); // Sensitive
cp.spawnSync(cmd, { shell: true }); // Sensitive
cp.execFile(cmd, { shell: true }); // Sensitive
cp.execFileSync(cmd, { shell: true }); // Sensitive
</pre>
<h2>Compliant Solution</h2>
<pre>
const cp = require('child_process');

cp.spawnSync("/usr/bin/file.exe", { shell: false }); // Compliant
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A03_2021-Injection/">Top 10 2021 Category A3 - Injection</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A1_2017-Injection">Top 10 2017 Category A1 - Injection</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/78">CWE-78 - Improper Neutralization of Special Elements used in an OS Command</a> </li>
</ul>
